ISM-1671 – Technical Resolution Guidance

What is ISM-1671?

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

Background

This control limits the use of macros in Microsoft Office applications to users with a valid business need.
Macros automate tasks in Office documents, but they are also a common delivery mechanism for malicious code (a macro-enabled attachment opened from a phishing email runs with the user's privileges). The default position is that macros are blocked for every user, and only users who can demonstrate a legitimate business requirement are exempted, which removes a well-used initial-access path and reduces the organisation's attack surface.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status | Description
Effective | Keys are present and configured correctly.
Ineffective | Keys are not present or not configured correctly.
Not Applicable | Microsoft Office is not installed or not applicable to this device.

Testing Parameters

The following Microsoft Office products are assessed:

  • Microsoft Access 2016 or greater
  • Microsoft Excel 2016 or greater
  • Microsoft PowerPoint 2016 or greater
  • Microsoft Visio 2016 or greater
  • Microsoft Word 2016 or greater

All Office versions from 2016 onwards, including 2019 and Microsoft 365 Apps, share the 16.0 policy registry hive and are treated as "2016" throughout this guidance.
The baseline is that every Microsoft Office user is subject to a policy that blocks macro execution, configured per Office application; only users with a demonstrated business requirement are exempted from that policy.

Macros can be disabled globally for all Office applications with the Disable VBA for Office applications policy. That setting alone is not sufficient: each application must also be configured to block macros and to close the Trusted Locations and Trusted Documents bypasses, so that a per-application setting cannot override the global one.
All Microsoft Office 2016 – Global:
  • Automation Security – Enabled: Set the Automation Security level: Disable macros by default
  • Disable VBA for Office applications – Enabled
  • Allow mix of policy and user locations – Disabled
Microsoft Office 2016 – Products – Common settings (Access, Excel, PowerPoint, Visio, Word):
  • Allow Trusted Locations on the network – Disabled
  • Disable all Trusted Locations – Enabled
  • Turn off Trusted Documents – Enabled
  • Turn off Trusted Documents on the network – Enabled
  • VBA Macro Notification Settings – Enabled: Disable all without notification (or Disable VBA macros except digitally signed macros)
Microsoft Excel – additional policies:
  • Trust access to Visual Basic Project – Disabled
Microsoft PowerPoint – additional policies:
  • Trust access to Visual Basic Project – Disabled
Microsoft Word – additional policies:
  • Trust access to Visual Basic Project – Disabled
Microsoft Outlook:
  • Apply macro security settings to macros, add-ins and additional actions – Enabled
  • Security settings for macros – Enabled: Never warn, disable all (or Warnings for signed macros, all unsigned macros disabled)
Microsoft Project:
  • Allow Trusted Locations on the network – Disabled
  • Disable all Trusted Locations – Enabled
  • VBA Macro Notification Settings – Enabled: Disable all without notification (or Disable VBA macros except digitally signed macros)
Microsoft Publisher – additional policies:
  • Publisher Automation Security Level – Enabled: High (Disabled)
  • VBA Macro Notification Settings – Enabled: Disable all without notification (or Disable VBA macros except digitally signed macros)
Microsoft Visio – additional policies:
  • Enable Microsoft Visual Basic for Applications project creation – Disabled
  • Load Microsoft Visual Basic for Applications projects from text – Disabled
Policy / Description | Registry key | Value
Turn off Trusted Documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted documents | disabletrusteddocuments = 1
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted documents | disablenetworktrusteddocuments = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security | vbawarnings = 3 or 4
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\access\security\trusted locations | alllocationsdisabled = 1
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security | accessvbom = 0
Turn off Trusted Documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted documents | disabletrusteddocuments = 1
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted documents | disablenetworktrusteddocuments = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security | vbawarnings = 3 or 4
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\excel\security\trusted locations | alllocationsdisabled = 1
Automation Security | HKCU\SOFTWARE\Policies\Microsoft\office\common\security | automationsecurity = 3
Disable VBA for Office applications | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\common | vbaoff = 1
Disable VBA for Office applications | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\16.0\common | vbaoff = 1
Allow mix of policy and user locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\common\security\trusted locations | allow user locations = 0
Apply macro security settings to macros, add-ins and additional actions | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security | donttrustinstalledfiles = 1
Security settings for macros | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\outlook\security | Level = 3 or 4
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security | accessvbom = 0
Turn off Trusted Documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted documents | disabletrusteddocuments = 1
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted documents | disablenetworktrusteddocuments = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security | vbawarnings = 3 or 4
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security\trusted locations | alllocationsdisabled = 1
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security\trusted locations | alllocationsdisabled = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\ms project\security | vbawarnings = 3 or 4
Publisher Automation Security Level | HKCU\SOFTWARE\Policies\Microsoft\office\common\security | automationsecuritypublisher = 3
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\publisher\security | vbawarnings = 3 or 4
Enable Microsoft VBA project creation | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\application | createvbaprojects = 0
Load Microsoft VBA projects from text | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\application | loadvbaprojectsfromtext = 0
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted locations | alllocationsdisabled = 1
Turn off Trusted Documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted documents | disabletrusteddocuments = 1
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security\trusted documents | disablenetworktrusteddocuments = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\visio\security | vbawarnings = 3 or 4
Trust access to Visual Basic Project | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security | accessvbom = 0
Turn off Trusted Documents | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted documents | disabletrusteddocuments = 1
Turn off Trusted Documents on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted documents | disablenetworktrusteddocuments = 1
VBA Macro Notification Settings | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security | vbawarnings = 3 or 4
Allow Trusted Locations on the network | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted locations | allownetworklocations = 0
Disable all Trusted Locations | HKCU\SOFTWARE\Policies\Microsoft\office\16.0\word\security\trusted locations | alllocationsdisabled = 1

For vbawarnings, 3 means "Disable VBA macros except digitally signed macros" and 4 means "Disable all without notification"; either satisfies the control. For the Outlook Level value, 3 is "Warnings for signed macros, all unsigned macros disabled" and 4 is "Never warn, disable all". The per-user (HKCU) keys are what the evaluation reads, so a user whose policy does not apply (for example because of security filtering) will show as Ineffective even if the machine-wide key is set.

Remediation Steps

Apply the Group Policy settings below to all users. Place users with a demonstrated business requirement in a dedicated security group and either exclude that group from the blocking GPO (security filtering) or give it a separate, higher-precedence GPO with the least-restrictive settings their documented need actually requires (for example, digitally signed macros only rather than all macros). Membership of that group should be reviewed periodically.
Group policies to ensure that all macros are disabled (all paths are under User Configuration\Policies\Administrative Templates\):
Policy path | Policy name | Value1 | Value2
Microsoft Access 2016\Application Settings\Security\Trust Center | Turn off Trusted Documents | Enabled |
Microsoft Access 2016\Application Settings\Security\Trust Center | Turn off Trusted Documents on the network | Enabled |
Microsoft Access 2016\Application Settings\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Access 2016\Application Settings\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled |
Microsoft Access 2016\Application Settings\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled |
Microsoft Excel 2016\Excel Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled |
Microsoft Excel 2016\Excel Options\Security\Trust Center | Turn off Trusted Documents | Enabled |
Microsoft Excel 2016\Excel Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled |
Microsoft Excel 2016\Excel Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled |
Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled |
Microsoft Office 2016\Security Settings | Automation Security | Enabled | Set the Automation Security level: Disable macros by default
Microsoft Office 2016\Security Settings | Disable VBA for Office applications | Enabled |
Microsoft Office 2016\Security Settings\Trust Center | Allow mix of policy and user locations | Disabled |
Microsoft Outlook 2016\Security\Trust Center | Apply macro security settings to macros, add-ins and additional actions | Enabled |
Microsoft Outlook 2016\Security\Trust Center | Security settings for macros | Enabled | Security Level: Never warn, disable all (or Warnings for signed macros, all unsigned macros disabled)
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled |
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Turn off Trusted Documents | Enabled |
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled |
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled |
Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled |
Microsoft Project 2016\Project Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Project 2016\Project Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled |
Microsoft Project 2016\Project Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled |
Microsoft Publisher 2016\Security | Publisher Automation Security Level | Enabled | High (disabled)
Microsoft Publisher 2016\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Visio 2016\Visio Options\Security\Macro Security | Enable Microsoft Visual Basic for Applications project creation | Disabled |
Microsoft Visio 2016\Visio Options\Security\Macro Security | Load Microsoft Visual Basic for Applications projects from text | Disabled |
Microsoft Visio 2016\Visio Options\Security\Trust Center | Allow Trusted Locations on the network | Disabled |
Microsoft Visio 2016\Visio Options\Security\Trust Center | Disable all Trusted Locations | Enabled |
Microsoft Visio 2016\Visio Options\Security\Trust Center | Turn off Trusted Documents | Enabled |
Microsoft Visio 2016\Visio Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled |
Microsoft Visio 2016\Visio Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Word 2016\Word Options\Security\Trust Center | Trust access to Visual Basic Project | Disabled |
Microsoft Word 2016\Word Options\Security\Trust Center | Turn off Trusted Documents | Enabled |
Microsoft Word 2016\Word Options\Security\Trust Center | Turn off Trusted Documents on the network | Enabled |
Microsoft Word 2016\Word Options\Security\Trust Center | VBA Macro Notification Settings | Enabled | Disable all without notification or Disable VBA macros except digitally signed macros
Microsoft Word 2016\Word Options\Security\Trust Center\Trusted Locations | Allow Trusted Locations on the network | Disabled |
Microsoft Word 2016\Word Options\Security\Trust Center\Trusted Locations | Disable all Trusted Locations | Enabled |

Validation Process

Validate on the end device that the policy is actually applied to the assessed user: confirm the GPO appears in the applied set (for example with gpresult /h report.html) and that every registry key in the Testing Parameters table is present with a compliant value. A key that is missing, or present with a non-compliant value (for example vbawarnings = 2, "Disable all with notification"), is Ineffective; Not Applicable is reserved for devices where Microsoft Office is not installed. Repeat the check for a member of the exempted group to confirm that only the intended users are able to run macros.
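The following PowerShell script is an added example of that check; it is not part of the ISM-1671 guidance text. It walks the HKCU policy keys from the Testing Parameters table, applies the "3 or 4" rule for vbawarnings and the Outlook Level value, and reports Effective, Ineffective or Not Applicable in the same terms as the Evaluation Results table. Assumptions that are mine rather than the page's: it is run in the session of the user being assessed (the keys are per-user policy), Office uses the 16.0 hive, and the Office-installed test is a heuristic based on two common HKLM markers.

```powershell
# Added example for ISM-1671 validation; not part of the original guidance.
# Audits the HKCU policy keys from the Testing Parameters table on the local
# endpoint, reports Effective / Ineffective per key, then an overall result.
# Assumptions: run as the user being assessed, Office uses the 16.0 hive,
# and Test-OfficeInstalled is a heuristic, not an authoritative inventory check.

$PolicyRoot = 'HKCU:\SOFTWARE\Policies\Microsoft\office'

# "Not Applicable" branch: neither a Click-to-Run nor an MSI 16.0 marker exists.
function Test-OfficeInstalled {
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\16.0')
}

# One check = subkey relative to $PolicyRoot, value name, set of compliant values.
function New-Check($Key, $Name, [int[]]$Compliant) {
    @{ Key = $Key; Name = $Name; Compliant = $Compliant }
}

$Checks = @(
    New-Check 'common\security'                        'automationsecurity'          3
    New-Check 'common\security'                        'automationsecuritypublisher' 3
    New-Check '16.0\common'                            'vbaoff'                      1
    New-Check '16.0\common\security\trusted locations' 'allow user locations'        0
    New-Check '16.0\outlook\security'                  'donttrustinstalledfiles'     1
    New-Check '16.0\outlook\security'                  'Level'                       3, 4
    New-Check '16.0\visio\application'                 'createvbaprojects'           0
    New-Check '16.0\visio\application'                 'loadvbaprojectsfromtext'     0
    New-Check '16.0\ms project\security'               'vbawarnings'                 3, 4
    New-Check '16.0\publisher\security'                'vbawarnings'                 3, 4
)
# Per-application settings shared by Access, Excel, PowerPoint, Visio and Word.
foreach ($app in 'access', 'excel', 'powerpoint', 'visio', 'word') {
    $Checks += New-Check "16.0\$app\security"                   'vbawarnings'                    3, 4
    $Checks += New-Check "16.0\$app\security\trusted documents" 'disabletrusteddocuments'        1
    $Checks += New-Check "16.0\$app\security\trusted documents" 'disablenetworktrusteddocuments' 1
}
# Trusted Locations pair also applies to Project.
foreach ($app in 'access', 'excel', 'powerpoint', 'visio', 'word', 'ms project') {
    $Checks += New-Check "16.0\$app\security\trusted locations" 'allownetworklocations' 0
    $Checks += New-Check "16.0\$app\security\trusted locations" 'alllocationsdisabled'  1
}
# VBA object model access is only a policy for Excel, PowerPoint and Word.
foreach ($app in 'excel', 'powerpoint', 'word') {
    $Checks += New-Check "16.0\$app\security" 'accessvbom' 0
}

function Test-MacroPolicy([hashtable]$Check) {
    $path = Join-Path $PolicyRoot $Check.Key
    # A missing key and a missing value both raise with -ErrorAction Stop;
    # either means "not configured", which the evaluation treats as Ineffective.
    $actual = $null
    try { $actual = (Get-ItemProperty -Path $path -Name $Check.Name -ErrorAction Stop).($Check.Name) } catch { }
    $ok = ($null -ne $actual) -and ($Check.Compliant -contains $actual)
    [pscustomobject]@{
        Key      = $path
        Value    = $Check.Name
        Expected = ($Check.Compliant -join ' or ')
        Actual   = $(if ($null -eq $actual) { '<missing>' } else { $actual })
        Status   = $(if ($ok) { 'Effective' } else { 'Ineffective' })
    }
}

if (-not (Test-OfficeInstalled)) {
    'ISM-1671: Not Applicable (Microsoft Office not detected on this device)'
    return
}
$results = foreach ($c in $Checks) { Test-MacroPolicy $c }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'Ineffective')
if ($failed.Count -eq 0) { 'ISM-1671: Effective' }
else { "ISM-1671: Ineffective ($($failed.Count) of $($results.Count) keys missing or misconfigured)" }
```

Run it once as a user in the default (blocked) population, where every row should read Effective, and once as a member of the exempted group, where the rows you deliberately relaxed (typically vbawarnings) should be the only Ineffective ones. Because it reads HKCU, a result of Ineffective for a user who should be blocked usually points at GPO scoping (security filtering, OU placement, or a higher-precedence GPO) rather than at the setting itself; gpresult /h shows which GPO won.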

Risk Consideration

Disabling macros for users without a clear business need reduces the risk of malware infections, unauthorized access, social engineering attacks, and insider threats associated with macros. This control aligns with security best practices by minimizing attack surfaces and helping organizations adhere to regulatory requirements while improving their overall security posture.